WHITE PAPER eIDAS: A new regulation for electronic signature and business across EU borders

In 2016, the legal and business environment changed for the better in the . With the enforcement of 2014’s EU Regulation No 910/2014, also known as eIDAS (Electronic Identification and Trust Services) on July 1st, 2016, there is new promise for companies in the EU using or considering electronic signature solution to accelerate their businesses and eliminate paper-based processes. This promise extends to all companies operating in the EU, whether inside national borders or across multiple EU Member States. This white paper explains the key concepts in eIDAS, how its introduction and enforcement affects the use of electronic signature in your business, and how to best capitalise on this opportunity in a shifting landscape.

There are three concepts that are key to understanding eIDAS and its benefits: • E-Signatures are legal in the EU, regardless of their underlying technology • eIDAS defines multiple electronic signature types for use in the EU, and each is useful when using e-signature across your business • Following EU technical standards for e-signature is the EU-recommended way to comply with eIDAS and minimize the legal risk for your business

The legality of electronic signatures in the EU Electronic signatures, or e-signature have been legally recognized as valid and used in business throughout the EU for more than 15 years since the European Commission passed the landmark EU-wide Electronic Signatures Directive in 1999. eIDAS reaffirms and extends this approach, while also providing a practical, legal framework and requirements for cross-border interoperability of electronic signature between EU member states.

The true test of legality for electronic signature in any country is whether an e-signature will be admitted as evidence in court in the event of a legal challenge. eIDAS clearly outlines the continued legality of e-signature below:

“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form…” -eIDAS Article 25, Section 1

“This Regulation should be technology-neutral. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met.” -eIDAS Section 16

These two passages ensure that companies in the EU can reap the benefits of e-signature in their business without worrying about discrimination against electronic signatures, simply for being electronic.

eIDAS: A new regulation for electronic signature and business across EU borders 1 WHITE PAPER

Multiple electronic signature types are necessary to conduct business in the EU To cover all the different types of transactions necessary for business in the EU, it’s critical to be able to utilize all the different e-signature types defined under eIDAS. This includes three distinct e-signature types, defined below.

Electronic Signature Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign - eIDAS Article 3, Section 10

Advanced Electronic Signature shall meet the following requirements (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and (d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable. - eIDAS Article 26

Qualified Electronic Signature An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures - eIDAS Article 3, Section 12 eIDAS also does not recommend specific transactions where it is most appropriate to use which kind of e-signature. These details are left to be defined by the law of individual EU member state’s national laws. In practice, the most common circumstances where EU or national law refer to specific electronic signature types include:

• Written signature exceptions for specific transactions that are written into Member State national laws • Electronic signature exceptions that prohibit e-signature use for specific transactions • Mandatory acceptance of e-signature by public sector institutions.

Written signature exceptions are found when EU Member State laws include a requirement for a ‘written signature’ for specific transactions. While there are a limited number of written signature exceptions for each country, some of these transactions are high-volume and high-value for specific industries, such as real property transfers in most EU Member States. Since eIDAS mandates that Qualified Electronic Signature be the legal equivalent of a written signature in all EU member states, even these transactions can be conducted using e-signature.

However, electronic signature or electronic document exceptions, where national law explicitly prevents the use of electronic signature, while rare, also exist. No e-signature type is legally recognized for these transactions.

eIDAS: A new regulation for electronic signature and business across EU borders 2 WHITE PAPER

Electronic Signature Types in Practice

As a general rule, electronic signature can be used for any transaction unless national law explicitly prohibits e-signature use for that transaction. In addition, transactions where a written signature is legally required can be satisfied with a Qualified Electronic Signature, as long as e-signature is not explicitly prohibited. A more comprehensive list of written signature or electronic signature exceptions and national e-signature laws around the world can be found in the E-Signature Legality Guide at http://www.docusign.com/legalityguide.

For the public sector, eIDAS defines the terms for the use of Advanced and Qualified and electronic signatures for public sector institutions in the EU. While eIDAS does not require public sector institutions use e-signature, Article 27 of the regulation goes into significant detail about e-signature standards in the public sector, specifically referring to a common set of technology standards recommended under eIDAS.

“If a Member State requires an advanced electronic signature to use an online service offered by, or on behalf of, a public sector body, that Member State shall recognise advanced electronic signatures, advanced electronic signatures based on a qualified certificate for electronic signatures, and qualified electronic signatures in at least the formats or using methods defined in the implementing acts referred to in [eIDAS].” ­-eIDAS, Article 27, Paragraph 1

While the lack of technical detail in eIDAS’s e-signature definitions reflect the technology-neutral nature of eIDAS, the technology standards (formats) referred to in eIDAS are the foundation on which e-signature interoperability between EU member states is built, especially for Advanced and Qualified Electronic Signatures. The co-existence of both technology neutrality and recommended technical standards in EU law has caused considerable confusion about whether specific e-signature technology is necessary to be considered legally valid.

eIDAS: A new regulation for electronic signature and business across EU borders 3 WHITE PAPER

Standards Matter: Adhering to technology standards maximizes your e-signature compliance and lowers your legal risk Many electronic signature providers can claim to be eIDAS-compliant, as eIDAS is technology-neutral. However, when considering business risk, it is equally important to consider how your electronic signature provider achieves compliance, especially when it comes to Advanced or Qualified electronic signatures. While eIDAS is technology-neutral, it also gives the European Commission the power to identify and recommend technical standards that give solutions the presumption of compliance with the EU-wide regulation. Specifically:

“implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards the use of which would raise a presumption of compliance with certain requirements laid down in this Regulation.” ­-eIDAS, Section 71 eIDAS goes as far as to recommend which standards-setting organisations the European Commission should rely on:

“…the Commission should take due account of the standards and technical specifications drawn up by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU)…” ­-eIDAS, Section 72

Many company interested in minimizing risk while conducting business in the EU borders should look for e-signature providers that follow the European Commission-recommended standards established by these independent standards bodies, specifically ETSI, CEN, ISO and ITU-T. The most compliant providers will additionally have independent accreditation to these technical standards, performed by reputable third-party auditors.

While member states cannot impose any technical standards to be followed by trust service providers, those providers can minimize risk for their customers by adhering to EU-recommended technical standards to demonstrate their compliance with the requirements for advanced and qualified electronic signatures. Cloud-based electronic signature providers can further decrease your business risk by having EU-based data centers and providing an option for cloud-integrated electronic signatures from third-party Trust Service Providers, and also providing their own qualified certificate services by being a certified member of the EU Trusted List of Certification Service Providers.

Legitmisation of Cloud-based and Mobile Signing in the EU eIDAS directly addressed the shortcomings of the 1999 Directive on Electronic Signature through mandatory and simultaneous enforcement across all EU member states on July 1st, 2016 and creating a practical, clear mandate for e-signature interoperability across EU Member States. This includes ensures the mutual recognition of Qualified Electronic Signatures between member states where they are required, like in the public sector—traditionally one of the most conservative industries

eIDAS: A new regulation for electronic signature and business across EU borders 4 WHITE PAPER

in adopting new technology. It also legitimized cloud-based and mobile e-signatures by explicitly allowing Qualified Trust Service Providers to ‘manage signature creation data on behalf of the signatory’ (eIDAS, Annex II, Section 3)

Where previously, both EU law and recommended technology standards only recognized smartcard or USB token-based signing devices for the most stringent types of e-signature, eIDAS now formally recognizes cloud-based electronic signatures. Electronic signature providers, can manage remote electronic signature creation devices, and are required to follow additional technical and security standards to ensure that signature creation is under the sole control of the signatory1. This specific recognition of remote signing lends further legal assurance for companies looking for easy-to-use, cloud-based electronic signature solutions to increase e-signature adoption on the web and on mobile devices.

Conclusion Companies operating in Europe have benefited for more than a decade from the use of electronic signatures. These companies will see these benefits accelerate and grow with the enforcement of eIDAS, especially for transaction that cross country borders within the EU.

However, even with the simplification and standardization provided by eIDAS, these challenges are best mitigated by choosing an e-signature service providers that provide all the different e-signature types defined by eIDAS, is independently accredited against European Commission-recommended technical standards for e-signature, and one with international reach and experience to accommodate your business both inside and outside of Europe. And most importantly, trust service providers should make e-signature solutions fit your business, whether your eIDAS-compliant solution needs to be 100% cloud-based with integrated cloud-based digital certificates for ease-of-use, or accept card or USB-token digital certificates with hardware readers.

For more information on DocuSign digital transaction management and e-signature solutions and their compliance with eiDAS, contact your DocuSign sales representative or email [email protected].

eIDAS: A new regulation for electronic signature and business across EU borders 1Regulation (EU) No 910/2014 (52)

About DocuSign

DocuSign® is changing how business gets done by empowering anyone to send, sign and manage documents anytime, anywhere, on any device with trust and confidence. DocuSign and Go to keep life and business moving forward. For U.S. inquiries: toll free 866.219.4318 | docusign.com For EMEA enquiries: +44 203 714 4800 | docusign.co.uk Follow Us: eIDAS: A new regulation for electronicCopyright © 2003-2016 signature DocuSign, and Inc. All businessrights reserved. acrossDocuSign, theEU DocuSign borders logo, “The Global Standard for Digital Transaction Management”, 2 “Close it in the Cloud”, SecureFields, Stick-eTabs, PowerForms, “The fastest way to get a signature”, The No-Paper logo, Smart Envelopes, SmartNav, “DocuSign It!”, “The World Works Better with DocuSign” and ForceFields are trademarks or registered trademarks of DocuSign, Inc. in the and or other countries. All other trademarks and registered

trademarks are the property of their respective holders.